3 Answers
3

We use an anomaly-based detection engine. There is definitely a high false positive rate, and the learning phase can take up a lot of time. In my experience, an IDS that is OS- and application-aware is still a better option. While we have found some interesting things, it is not useful unless you have the staff to maintain it and sift through all of the false positives. I would say they are coming along but are not for everyone.

The problem will usually be defining "normal" traffic against which you can detect the anomalies. From past research, ensemble classifiers seem to be most efficient in lowering your false positives. I myself have worked on researching a lot of these algorithms, and it's still under heavy research. Another area is Artificial Immune Systems, in combination with IDS and Incident Response technology.

However, I found that while it is easy to sell the funding of a project to senior management to purchase nice and cool new security devices that are going to totally protect your applications (debate!), the problem comes when that funding has run out before the learning phase has been completed. This is even more of a problem when the applications the WAF should be protecting are based on hugely complex business logic.

When this happens, the result is a WAF that is left in monitor mode only, without the real-time protection that the device was supposed to be providing.

On a positive note (and from experience!!), even WAFs in monitor mode can be vital during an incident response, even if only as a source of logging that captures the entire attack in CSV format. ;-)